SANS ISC (cache) brings us a report (cache) of a new method spammers are using to put links into blogs using hidden text. We don't consider this a WordPress vuln, but rather a class of problems revolving around hidden test. This is very reminiscent of the iframe attacks using hidden iframes. In the spirit of making the world a nicer place, we're publishing Modsec rules to protect against this problem. You can download the rules from here. Right now its one rule, but as we discover other ways to protect against this we'll update the file. If you are running ASL or have a subscription to the real time rules, this is included in the latest update automatically.

We've been providing 2.5 signatures and rules to our ASL customers for over a year, and are proud to announce the availability of these rules through the GotRoot? lab website. The free rules are delayed 30 days. Want the rules in real time? Well sign up now! Its only $79.95 a year for a real time subscription to the most comprehensive and widely used WAF rules on the Internet!

We've been been working like mad men on ASL (especially Scott), and we're at the final Beta. 2.0 final is just around the corner. The GUI is slick, tons of new security features, vulnerability scanner, built in support portal and more. Check it out on the ASL website.

For anyone that had problems logging into their accounts, I do apologize for the delay fixing the site. The problem was very very very convulted. Ah the joys of moving boxes, upgrading PHP, MYSQL and Javascript. Logins should be working again for everyone.

Ryan Barnett and I will be giving a talk on Virtual Patching at SANS CDI 2007. Our talk is on December 14th, from 7:30PM to 8:30PM. Drop by and join us, and after please join us for beers and friendly banter.

Heres a link to the official SANS CDI page:

https://www2.sans.org/cdi07/night.php?portal=821dc21b4842373211f7acb46edf6b96

I recently put together a tips and advice article for Virtual Patching for SANS (cache). You can read it here Virtual Patching for Web Applications with ModSecurity (cache). Technical Review of the article was by Ryan Barnett and GIAC Advisory Board, which I greatly appreciate.

iframe attacks seem to be taking a hold with many vulnerable websites. The problem obviously being vulnerable ap plications, which we would all like to see fixed. However, not everyone can be so lucky as to have either perfect applications, or perfect countermeasures against these vulnerabilities. Enter output filtering. We've put together a special set of rules for anyone running apache. This will filter out all your iframe attacks.

2.0 compatible rules were released today. Consider these beta quality rules until further testing is done. Also, the format of the rules has changed considerably in 2.0, so if you want production quality we recommend you use the 1.9 rules with modsecurity 1.9.4.

Asterisk users of broadvoice may have noticed a problem with not recieving inbound calls today. It appears that something changed in the way Broadvoice sends their SIP packets, but we have the solution: Just make the following change to your extensions.conf file:

Look for the extensions.conf context for your incoming calls, in our case, its [from-broadvoice], and add this line at the end of your context:

exten => YOURPHONENUMBER,1,Goto(from-broadvoice,1,1)

Make sure you change the "from-broadvoice" to the name of your incoming calls context.

The current version of Microsoft AntiSpyware? Beta 1 (version 1.0.701) contains a bug which causes issues for multiple users of a Windows XP system.

Symptoms of the issue are: 1) When a user logs in, they recieve an "Unexpected Error; quitting" messagebox. 2) When uninstalling or installing MSAS, the user recieves an "Error 1904.Module C:\Program Files\Microsoft Antispyware\XXXXXXXX.dll failed to (un)register. HRESULT -2147220473" on multiple dlls, even when they are an Administrator.

The issue arises from improper registry key permissions.

We have come up with a non-optimal workaround for the issue (click Read More...), and we are currently working on a more advanced solution.

We have not tested MSAS for the issue on other systems at this time.

I've added a new ruleset to the collection, "recons.conf" that contains the start of a ruleset to detect and block attacks that originate from, so called, "Google Hacks" - or the art of detecting vulnerable software by simply searching for it with Google. These rules only work with modsecurity 1.9.x and up, as I'm also starting the process of adding ids, revs, severity and msg variables to the rules, so if you are using modsecurity 1.8.x, these rules will not work for you - and may not even load.

I've made some changes to the main entry page to the website. If you go directly to the main URL: http://www.gotroot.com, you should get the new entry page. Many sites have the articles page linked to as the starting page, and that will always work, so if you came into the site that way don't worry about it, but do try the new entry page and let me know what you all think about it.